Friday, September 11, 2009

Is your patients' health information protected well enough to save you from the FTC or from the new HIPAA rules under ARRA?

With the burden of new fines and higher penalties under HIPAA as modified by the ARRA, and the new FTC "Red Flags" rule, healthcare organizations must now re-evaluate their current security controls and infrastructure to keep the HIPAA auditors at bay.

With today's fast-moving technology, it is very hard for anyone to be sure that the next web site they visit will not install a Trojan that can log every keystroke, or simply steal files from their computer that may contain private health information.

Every day Americans fall victim to identity theft because information is stolen from computers in healthcare environments, and that includes having their health records or insurance information used by someone else to obtain health services and procedures. We are accustomed to hearing that most data breaches happen at large-scale operations, such as the Heartland breach, in which hackers had potential access to the card data of roughly 130 million cardholders, or, a few years before that, the TJX chain, where the data of more than 45 million customers was compromised. But attacks like these are extremely hard to pull off and require sophisticated, well-resourced attackers. What if you were told that your doctor's office could be the next target, right now, right from its parking lot? Or that a single mistyped URL could land one of your nurses on the wrong web site, which silently installs a Trojan that in turn gains access to health data?

There are several threats you should be aware of as a consumer or a healthcare administrator. Again, the intent of this article is not to make you get rid of your computers and wireless networks altogether, but to give you information that can help you understand your environment and the areas that may need to be reviewed.

Internal Threats:
The internal threats to your patient data can be found in many areas. Just to give you an example, last week I visited with a few technicians at a medium-sized healthcare office, and as we were going through DR planning (Disaster Recovery Planning), I asked about the offsite backup. To my surprise I received the following statement: "We are covered on that, I take the tapes home with me." I did not put too much thought into it as I asked the next question, assuming the answer would be yes: "Well, I am sure the backups are password protected and you are encrypting them, right?" Wrong. I received the following reply: "Why? They are already on a tape, you think a thief will know how to restore from a tape?" Puzzled and disappointed, I began to explain that it would be wiser to find a more secure way to store the sensitive patient information, and how this could really jeopardize the practice and potentially open the door to lawsuits. After I went back to the office, I did a simple search in Google for "How to restore from a tape" and found the following: Results 1 - 10 of about 3,720,000 for How to restore from a tape. (0.16 seconds). It was clear to me that there was a disconnect between IT and the privacy and security requirements. Sensitive data must be secured, and it should never be transported offsite on laptops, tapes or hard drives without appropriate encryption and protection.
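A thief who gets hold of a backup tape or drive does not need the practice's software; a plaintext archive restores with any tool that understands the format. The check below is an added example (not from the original article, and not the tooling of any specific backup product) for answering the question the technician above never asked: does this backup image actually look encrypted, or is it a restorable plaintext archive? It recognizes common plaintext container headers and otherwise measures byte entropy, since ciphertext is statistically indistinguishable from random data. The two sample "tape images" are constructed in memory; the patient record text and file name are assumptions.

```python
"""Heuristic check: does a backup image look encrypted or is it plaintext?

Added example, not from the original article.  Both sample images below are
constructed in memory; the patient record and its file name are assumptions.
"""
import io
import math
import os
import tarfile
from collections import Counter

# Leading magic bytes of common plaintext containers a backup job might write.
# A recognized container is restorable without any key, whatever its entropy.
PREFIX_MAGIC = {
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip stream",
    b"BZh": "bzip2 stream",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0).  Ciphertext and random data sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_plaintext_format(head: bytes):
    """Return a format name if the header is a known plaintext container, else None."""
    if head[257:262] == b"ustar":          # POSIX/GNU/PAX tar keep the magic at offset 257
        return "POSIX tar archive"
    for magic, name in PREFIX_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def looks_encrypted(data: bytes, sample: int = 4096, min_entropy: float = 7.5):
    """Return (verdict, reason) for the first `sample` bytes of a backup image.

    Caveat: compressed data is also high-entropy, so a compressed stream whose
    header has been stripped would pass this test.  Treat a True verdict as
    'not obviously plaintext', not as proof of strong encryption.
    """
    head = data[:sample]
    fmt = identify_plaintext_format(head)
    if fmt:
        return False, f"recognized {fmt}: restorable without a key"
    h = shannon_entropy(head)
    if h < min_entropy:
        return False, f"entropy {h:.2f} bits/byte is too low for ciphertext"
    return True, f"no known plaintext header, entropy {h:.2f} bits/byte"


def build_plaintext_backup() -> bytes:
    """Constructed stand-in for an unencrypted tape image: a tar of one patient record."""
    record = b"Patient: Jane Doe\nDOB: 1970-01-01\nInsurance ID: ABC123456\n" * 20
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="records/jane_doe.txt")   # assumed file name
        info.size = len(record)
        tar.addfile(info, io.BytesIO(record))
    return buf.getvalue()


def build_encrypted_backup(size: int = 8192) -> bytes:
    """Stand-in for properly encrypted output; random bytes model ciphertext."""
    return os.urandom(size)


if __name__ == "__main__":
    for label, image in (("plaintext tape image", build_plaintext_backup()),
                         ("encrypted tape image", build_encrypted_backup())):
        encrypted, reason = looks_encrypted(image)
        print(f"{label}: {'OK' if encrypted else 'EXPOSED'} ({reason})")
```

Run against real backup files, the plaintext image prints EXPOSED with the recognized format, which is exactly the case in the story above: the tape is only as safe as the building it sits in. A passing verdict is a necessary condition, not a sufficient one, so it should be paired with confirmation that the backup software's encryption is actually enabled and that the key is stored separately from the media.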

Another internal threat is the viruses and Trojans that find their way onto computers that are either unprotected or simply running expired antivirus. Many of these infections originate from web sites that users reach by mistyping a URL or by clicking the wrong link in a personal email. This is a common way for attackers to gain access to private information on computers, through Trojans, keyloggers and other remote-control tools.

In a world with all too many stories of scammers, we are beginning to hear about patients using a fictitious identity or posing as someone else, and using that person's insurance card to obtain cosmetic or medical procedures, leaving the victim to pick up the tab. We are in an environment where a parent rushing a sick child in for a visit says "my spouse has the insurance card," the front desk feels obligated to let them be seen, and the practice later realizes it has to write off the cost of the treatment because the insurance was terminated or did not even belong to that person. An insurance card carries no photo, and although a valid driver's license is and can be required of the patient, many practices do not ask for that verification and so increase the risk of false identity. This becomes a bigger issue under much of the currently proposed health reform, where the practice will not be able to bill the victim for the balance, nor their insurer, in a case of stolen identity.

For the most part, all health organizations already have some sort of firewall in place. This is the device that protects them from outside intruders. But without the right equipment and configuration, you are left with a firewall whose default password a hacker can easily look up, and use to remotely gain access to your network, or even

With that being said, I have found numerous times that health organizations use a common tool, such as Microsoft Remote Desktop (RDP), to log on to their servers remotely without a VPN (Virtual Private Network). That means the server is exposed to the internet on a specific port (TCP 3389 by default for RDP) that hackers can probe and attempt to use to gain access. In some cases brute force is used (a dictionary of passwords is tried in many combinations against the administrative user); in others it is simply a matter of a former employee whose account is still active being able to log in, take the data and sell it for profit.
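Both abuses described above leave traces in the Windows Security event log: password guessing shows up as a burst of failed logons (event 4625) from one source, and a departed employee using a still-active account shows up as a successful logon (event 4624) for a name that should have been disabled. The detector below is an added example, not part of the original article or of any vendor's product; it runs over constructed, simplified log lines (timestamp, event ID, account, logon type, source IP). Logon type 10 (RemoteInteractive) is RDP. The account names, IP addresses, threshold and "terminated staff" list are assumptions.

```python
"""Detect RDP password guessing and logons by departed staff.

Added example, not from the original article.  The events below are a constructed,
simplified export of Windows Security events; in a real deployment the fields
would come from the event XML or a SIEM.  Accounts, IPs and the terminated-staff
list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|EventID|account|logon type|source IP
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = """\
2009-09-10 02:14:03|4625|administrator|10|203.0.113.45
2009-09-10 02:14:05|4625|administrator|10|203.0.113.45
2009-09-10 02:14:07|4625|administrator|10|203.0.113.45
2009-09-10 02:14:09|4625|administrator|10|203.0.113.45
2009-09-10 02:14:11|4625|administrator|10|203.0.113.45
2009-09-10 02:14:13|4625|administrator|10|203.0.113.45
2009-09-10 02:14:21|4624|administrator|10|203.0.113.45
2009-09-10 08:02:11|4624|jsmith|10|198.51.100.7
2009-09-10 09:30:00|4625|mjones|10|192.168.1.22
2009-09-10 09:30:40|4624|mjones|10|192.168.1.22
"""

TERMINATED_STAFF = {"jsmith"}        # assumption: left the practice, account never disabled
FAILURE_THRESHOLD = 5                # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)        # ... within this sliding window


def parse_events(text: str):
    """Turn the pipe-delimited export into a list of dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, logon_type, src = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account.lower(),
            "logon_type": int(logon_type),
            "src": src,
        })
    return events


def detect_rdp_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {source_ip: peak failures in window} for sources at or over threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]].append(e["time"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_success_after_guessing(events, brute_hits):
    """A successful RDP logon from a source that was guessing passwords: likely compromise."""
    return sorted({(e["src"], e["account"]) for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 10
                   and e["src"] in brute_hits})


def detect_terminated_logons(events, terminated=TERMINATED_STAFF):
    """Any successful logon by an account that should have been disabled."""
    return sorted({(e["account"], e["src"]) for e in events
                   if e["event_id"] == 4624 and e["account"] in terminated})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    hits = detect_rdp_brute_force(evts)
    print("password guessing from:", hits)
    print("guessing followed by success:", detect_success_after_guessing(evts, hits))
    print("logons by departed staff:", detect_terminated_logons(evts))
```

In the sample, mjones mistyping a password once and then succeeding is not flagged, while six failures in ten seconds followed by a success for "administrator" from the same internet address is, which is the pattern a VPN in front of RDP would have prevented entirely. The terminated-staff check is only as good as the list it is given, which is the point: offboarding has to feed IT, not just HR.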

While the above two require fairly advanced knowledge of hacking, there are always a few simple ways to tap into your systems or infrastructure. Wireless! If you approach a hospital, the wireless infrastructure is often so advanced and robust that it can detect any attempt to connect to the network by a device not on the approved list, and even detect when someone plugs in a rogue access point within the hospital's wireless range. But the challenge here, again, is the vulnerability of our small to mid-sized practices, the ones that simply cannot justify the cost of $800 or more for a single access point. These are the cases where a low-cost, plug-and-play access point offers a "secured" wireless network that can easily be cracked. WEP, one of the encryption methods commonly used by small practices, has well-known design flaws (weak use of RC4 with short, reused initialization vectors) that let an attacker recover the key from captured traffic, and you can find posts in the hacker community titled "How To Crack 128-bit Wireless Networks In 60 Seconds". WPA2 with a strong passphrase should be used instead.

The consequences:
In previous years, the above threats would most likely have been considered important but not urgent. Let's face it, there was no real threat of enforcement to begin with. As a matter of fact, the office meant to enforce the HIPAA rules had not levied a single penalty against any HIPAA-covered entity in nearly five years of implementation. So what has changed that should force everyone to take a good look at their current security and privacy readiness? As part of the ARRA, several modifications to the law were made (Sections 13409-13411):

• Congress gave state attorneys general authority to enforce HIPAA through civil enforcement actions.
• Business associates are now directly responsible for complying with key HIPAA privacy and security provisions. This means the cleaning crew, the third-party IT support provider, the software vendor, the accountant and anyone else who comes into contact with your infrastructure or your medical and insurance information shares the responsibility and is potentially liable.
• Fines have increased dramatically under the ARRA: up to $50,000 per violation, with a cap of $1.5 million per calendar year for identical violations.
• HHS is required to impose civil monetary penalties where it finds that a HIPAA violation was due to willful neglect.
• The criminal provisions were expressly made applicable to individuals.
• The HHS Secretary is now required to conduct periodic audits of compliance with the HIPAA Privacy and Security Rules.

Things to do to help you:

• Implement password expiration and complexity policies
• Implement strict internet use policies for employees
• Ensure that your IT team properly secures the servers that hold your patient data
• Run security auditing tools periodically
• Ensure that you are using antivirus on every piece of equipment connected to your network, including cell phones
• Ensure that your backups are password protected, encrypted and properly stored
• Ensure that your business associate agreements reflect the new changes; explain to your vendors what they mean, and confirm that their liability insurance covers the fines and costs that can result from a data breach
• Ensure that your wireless uses a stronger encryption method (WPA2 with a strong passphrase rather than WEP)
• Require patients to present photo ID during registration and keep a B&W copy of it (color copies are illegal in NC)
• Use biometric check-in devices that confirm the identity of the patient if you are looking for a secure and fast way to identify and check in patients
• Use network appliances that add an additional layer of protection against spam and email-borne viruses and that block unwanted traffic from web sites
• Train and educate staff on proper internet use


Whether you are still using paper charts or are completely paperless, patient privacy and security must be high on your priority list, whether or not the ARRA rules are ever enforced against you. The protection of your patients' data must be addressed. It is like having health insurance: without it, you are taking major risks. Several organizations can provide assistance or HIPAA audits, and some resources are freely available online. Your help desk and engineers need to understand the consequences, as well as the importance of implementing the right technologies, ones that proactively detect intrusions and protect all the assets in your infrastructure.
Reda Chouffani
